Configuration options for the root directory
In lines 316-319 of the httpd.conf file, the configuration options for the root directory "/" of the file system are set. That section of the configuration file looks like this:
Code:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
I personally see no reason why Apache, because the FollowSymLinks option is set, should follow symbolic links by default. This behavior is particularly questionable because, with this default configuration, links are also followed whose target file or directory does not belong to the same user as the link itself. This makes it possible in principle for a potential attacker to access files that are stored outside the directory defined as DocumentRoot. For this reason, I consider the following configuration more sensible:
Code:
<Directory />
Options None
AllowOverride None
</Directory>
If you still cannot do without symbolic links in the root directory, you should at least restrict the following of symbolic links to those where the owner of the target file or target directory is identical to the owner of the link:
Code:
<Directory />
Options SymLinksIfOwnerMatch
AllowOverride None
</Directory>
The previous variant is nevertheless probably the safer one. For security reasons it also makes sense to restrict access to the root file system ("/") at this point as well. The best configuration at this point in the httpd.conf file is therefore probably:
Code:
<Directory />
Options None
AllowOverride None
Order allow,deny
Deny from all
</Directory>
With this configuration, so-called directory traversals, that is, deliberately wandering through the entire directory tree of a server, are in part prevented.
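The reasoning above can be turned into a quick check of an existing httpd.conf. The following is an added example, not part of the original article: the function names and both sample blocks are constructed for illustration, and it also accepts "Options All" (which includes FollowSymLinks) and the Apache 2.4 form "Require all denied", neither of which appears in the article.

```python
import re

# Constructed sample: the default root block the article starts from.
SAMPLE_DEFAULT = "<Directory />\nOptions FollowSymLinks\nAllowOverride None\n</Directory>\n"
# Constructed sample: the article's final recommendation.
SAMPLE_HARDENED = ("<Directory />\nOptions None\nAllowOverride None\n"
                   "Order allow,deny\nDeny from all\n</Directory>\n")

def root_directives(conf_text):
    """Return {directive: [argument strings]} (lower-cased) for <Directory />, or None."""
    inside, found = False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r'<Directory\s+"?/"?\s*>', line, re.I):
            inside, found = True, found or {}
        elif inside and line.lower().startswith("</directory"):
            inside = False
        elif inside:
            words = line.lower().split()
            found.setdefault(words[0], []).append(" ".join(words[1:]))
    return found

def audit_root(conf_text):
    """List findings for the root block, following the article's reasoning."""
    d = root_directives(conf_text)
    if d is None:
        return ["no <Directory /> block found"]
    findings = []
    opts = " ".join(d.get("options", [])).split()
    # "+Opt" enables an option, "-Opt" disables it.
    enabled = {o.lstrip("+") for o in opts if not o.startswith("-")}
    if enabled & {"followsymlinks", "all"}:
        findings.append("symlinks are followed regardless of owner")
    if "none" not in d.get("allowoverride", []):
        findings.append("AllowOverride is not None")
    # Apache 2.4 equivalent of Deny from all (assumption: not on the page).
    if "from all" not in d.get("deny", []) and "all denied" not in d.get("require", []):
        findings.append("access to the root file system is not denied")
    return findings

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_root(conf) or "ok")
```

To check a real server, pass the contents of its httpd.conf to audit_root(); an empty list means the root block matches the last configuration shown above.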